DETAILED ACTION

1. In response to the previous office action, Applicant has amended claims 1, 12,
21, 29, 36, and 40 and cancelled claims 7 and 26. Claims 1-6, 8-25, and 27-40 have 
been examined. 

Claim Objections 

2. All previous claim objections are withdrawn. 

3. Claims 21 and 29 are objected to because of the following informalities: 

Each claim recites the limitation "said person authentication system" in claim 21,
lines 15-16 and claim 29, lines 12-13. There is insufficient antecedent basis for this
limitation in the claim. It is being presumed that this refers to the system that is
performing the portion of the method recited in lines 4-11 of claim 21 and lines 8-9 of
claim 29. 

Appropriate correction is required. 

Claim Rejections - 35 USC § 101 

4. All previous rejections under 35 U.S.C. 101 are withdrawn. 



Application/Control Number: 09/944,192 
Art Unit: 2134 






Claim Rejections - 35 USC §112 

5. All previous rejections under 35 U.S.C. 112 are withdrawn.

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 1-20 and 36-40 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter
which applicant regards as the invention. 

Claim 1 recites, in lines 16-17, the limitation "when transmitting said person 
identification certificate to said person authentication system, said person identification 
certificate authority..." 

Since the system otherwise recited in claim 1 lacks such a transmission, this set 
of steps to be performed in the transmission lacks antecedent basis. Moreover, claim 1 
is claiming a person authentication system and it is unclear whether a functionality 
performed by an element that is not part of the system, but is merely communicating 
with it (i.e. the person identification certificate authority), is part of the claimed invention. 

For purposes of the art search, the limitations in claim 1, lines 16-23 are deemed
inherent. 

Claims 2-6 and 8-11 depend from rejected claim 1, and include all the limitations
of that claim, thereby rendering those dependent claims indefinite.

Claim 12 recites that the person identification certificate authority is part of the
person authentication system (lines 3-4) but also recites that the person identification
certificate authority communicates with the person authentication system (see lines 14-16),
implying that it is not part of the person authentication system. This contradiction
renders the claim indefinite.

For purposes of the art search, the limitations in claim 12, lines 14-19 are 
deemed inherent. 

Claims 13-20 depend from rejected claim 12, and include all the limitations of 
that claim, thereby rendering those dependent claims indefinite. 

Claim 36 recites an apparatus comprising an authentication system that receives 
a certificate from a person identification certificate authority that is a third-party. Since 
the person identification certificate authority is a third-party, it is unclear whether the 
authority is not part of the apparatus itself; therefore, it is unclear whether the limitations 
in lines 10-15 describing the manner in which the person identification certificate 
authority functions are part of the claimed invention. Since the metes and bounds of the 
claimed invention are indeterminate, the claim is indefinite. 

For purposes of the art search, it is being presumed that the person identification 
certificate authority is not part of the claimed invention, and the limitations in claim 36, 
lines 10-15 are thus inherent.

Claims 37-39 depend from rejected claim 36, and include all the limitations of 
that claim, thereby rendering those dependent claims indefinite.

Claim 40 recites a program being executed on a single computer system that
receives a certificate from a person identification certificate authority that is a third-party. 
Since the person identification certificate authority is a third-party, it is unclear whether 
the authority is embodied on that computer; therefore, it is unclear whether the 
limitations in lines 16-25 describing the manner in which the person identification 
certificate authority functions are part of the claimed invention. Since the metes and 
bounds of the claimed invention are indeterminate, the claim is indefinite. 

For purposes of the art search, it is being presumed that the person identification 
certificate authority is not part of the claimed invention, and the limitations in claim 40, 
lines 16-25 are thus inherent. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior
to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)).

7. Claims 1, 9, 36, 38 and 40 are rejected under 35 U.S.C. 102(e) as being
anticipated by U.S. Patent No. 6,256,737 to Bianco et al.

Regarding claim 1, Bianco discloses a person authentication system comprising:
an entity for executing person authentication (computer 208 containing biometric
device object 722),

wherein said entity acquires a template from a person identification certificate 
storing template information (biometric template) including said template and generated 
by a third-party agency (biometric server 104) serving as a person identification
certificate authority (col. 24, lines 21-31), 

All information sent from the server, including the template, is encrypted (see 
column 56, lines 62-65) and must necessarily be decrypted before being used (see 
column 55, lines 32-35) and 

executes person authentication on the basis of the acquired template (col. 24, 
lines 37-39). 

Bianco further discloses that all transactions both with the server and with the 
biometric identity device are encrypted using public key cryptography and processed 
using the public key system engine (see column 56, lines 40-65). 

Regarding claim 9, Bianco teaches all the limitations of claim 1, and further
teaches

that said entity is a user device serving as a data processing apparatus including
data accessible by a user identified by said person identification certificate (computer 
208; col. 11, line 66, through col. 12, line 22), and 

that said user device compares a template, which is acquirable from the person 
identification certificate acquired from said person identification certificate 
authority, with sampling information provided by the user (col. 24, lines 21-43, and col. 
25, lines 31-50), 

and said user device allows the user to start accessing said user device, 
provided that said template and said sampling information match with each other (col. 
24, lines 40-56). 

Regarding claims 36 and 38, this is an information-processing-apparatus version 
of the claimed system discussed above (claims 1 and 4), wherein all claim limitations 
have been addressed. Thus, for the reasons provided above, such claims also are 
anticipated. 

Regarding claim 40, Bianco discloses a program-providing-medium version (see 
column 14, lines 62-67) of the claimed system discussed above (claim 1), wherein all
claim limitations have been addressed. Thus, for the reasons provided above, such a 
claim also is anticipated. 



Claim Rejections - 35 USC § 103 






The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-3, 8, 10, 36, 37, 39 and 40 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over U.S. Patent No. 6,310,966 to Dulude et al. in view of Schneier, 
"Applied Cryptography," 1996, pp. 31-32. 

Regarding claim 1, Dulude discloses a person authentication system comprising:
an entity for executing person authentication (receiver station 42), 
wherein said entity acquires a template from a person identification certificate 
storing template information (biometric certificate 68) including said template and 
generated by a third-party agency (registration authority 34) comprising encrypted 
information (a digital signature) serving as a person identification certificate authority 
(col. 4, lines 12-65, and col. 6, lines 1-17 and 32-34). Received user sampling 
information is also optionally encrypted (see column 5, lines 63-67). A receiving unit that 
receives the encrypted template and encrypted sampling information is shown (see 
figure 5, inputs 46 and 68). The system executes person authentication on the basis of 
the acquired decrypted template (col. 6, lines 58-65, and col. 7, lines 33-44). 

Dulude does not disclose the manner by which the user sampling information is 
encrypted, or whether a common unit is to be used for decrypting the encrypted 
template and the encrypted sampling information.

Schneier discloses the use of public-key cryptography in all communications
between a computer and those with whom it communicates, where any user who 
wishes to communicate with a particular computer uses the same public key, which is 
then decrypted using the receiver's private key. Since all incoming communications are 
being encrypted using the same algorithm, a common decryptor would therefore be 
used on the receiving end. Schneier further suggests that this is done so that someone 
listening in cannot recover the message (see Section 2.5). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to implement the invention of Dulude by using public-key 
cryptography for all communications to the receiver, as disclosed by Schneier, so that 
someone listening in cannot recover the message. 

Regarding claim 2, Dulude further teaches that the person identification 
certificate authority includes a digital signature written by said person identification 
certificate authority (biometric certificate 68 contains digital signature 22; Fig. 2; col. 4, 
lines 55-65). 

Regarding claim 3, Dulude further teaches that 

said person identification certificate authority verifies the identification of a person 
requesting a person identification certificate to be issued (col. 5, lines 16-25), 

acquires a template serving as person identification data of said person 
requesting the person identification certificate to be issued (col. 4, lines 25-32), and 

generates a person identification certificate storing template information including 
said template (col. 4, lines 55-65).

Regarding claim 8, Dulude further teaches that

said entity is a service provider which provides services to a user identified by 
said person identification certificate (receiving section 42 is service provider; col. 8, lines 
34-45, incorporating Vaeth, US 6,035,402; see Vaeth, col. 6, lines 5-26), and 

that said service provider compares a template (registration biometric data 72), 
which is acquirable from the person identification certificate acquired from said person 
identification certificate authority (col. 4, lines 55-65, and col. 6, lines 32-34), with 
sampling information provided by the user (transaction biometric data 46) and starts 
providing services with the user, provided that said template and said sampling 
information match with each other (col. 7, lines 33-67). 

Regarding claim 10, Dulude further teaches that 

said template (registration biometric data) is composed of any one of: biometric
information of a person; non-biometric information; any combination of two or more of 
said biometric information and said non-biometric information; and a combination of any 
of said information and a password (template composed of biometric information; col. 4, 
lines 26-32 and 55-57). 

Regarding claims 36 and 37, these are an information-processing-apparatus 
version of the claimed system discussed above (claims 1 and 2), wherein all claim 
limitations have been addressed. Thus, for the reasons provided above, such claims 
also are obvious. 

Regarding claim 39, Dulude further teaches that

said information processing apparatus compares a template (registration
biometric data 72), which is acquirable from the person identification certificate acquired 
from said person identification certificate authority (col. 4, lines 55-65, and col. 6, lines 
32-34), with sampling information provided by the user (transaction biometric data 46) 
and starts providing services with the user, provided that said template and said 
sampling information match with each other (col. 7, lines 33-67). 

Regarding claim 40, since Dulude's invention is being executed using 
computerized equipment, the claimed program must be embodied on a
computer-readable medium. This is a program-providing-medium version of the claimed system
discussed above (claim 1), wherein all claim limitations have been addressed. Thus, for 
the reasons provided above, such a claim also is obvious. 

9. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. 
Patent No. 6,310,966 to Dulude et al. in view of Schneier, "Applied Cryptography," 
1996, pp. 31-32 as applied to claim 1 above and further in view of U.S. Patent No. 
6,035,402 to Vaeth et al. 

Dulude further teaches that said entity is any one of a service provider which 
provides services to a user identified by said person identification certificate, a user 
device accessed by a user identified by said person identification certificate, and said 
person identification certificate authority (receiving section 42 is service provider; col. 8, 
lines 34-45, incorporating by reference Vaeth, US 6,035,402; see Vaeth, col. 6, lines 5-26).

10. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dulude in
view of Schneier, "Applied Cryptography," 1996, pp. 31-32 as applied to claim 1 above
and further in view of Hughes ("Digital Envelopes and Signatures," InstantDoc #2698,
WindowsITPro, September 1996).

Dulude and Schneier teach all the limitations of claim 1, but do not explain the
further limitation that said person identification certificate authority stores said template 
in said person identification certificate after encrypting said template. 

However, Hughes teaches a method for securing the transmission of a message 
wherein both the encryption of the message and the digital certificate (signature) for the 
message sender are employed concurrently for the purpose of providing both privacy 
and authentication (page 3, paragraph 5). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the system of Dulude and Schneier with the 
teaching of Hughes such that said person identification certificate authority stores said 
template in said person identification certificate after encrypting said template, 
particularly where the biometric database 66 which stores the biometric certificate 68 is 
accessed over a network connection (col. 5, lines 33-44 and col. 6, lines 32-43). One 
would be motivated to do so in order to ensure both privacy and authentication in 
transmission of the biometric certificate over a network.

11. Claims 4 and 11 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Bianco as applied to claim 1 above in view of Diffie et al., "Authentication and 
Authenticated Key Exchanges," Designs, Codes and Cryptography, Kluwer Academic 
Publishers, 1992. 

Regarding claim 4, Bianco teaches all the limitations of claim 1, and further 
teaches that said person identification certificate authority transmits the person 
identification certificate to said entity (col. 24, lines 21-32). 

Although Bianco teaches that the transmission of the certificate between said 
person identification certificate authority and said entity is encrypted using an 
asymmetric public key protocol (col. 55, lines 29-57, and col. 56, lines 52-65), Bianco 
does not explain that in the process of acquiring the person identification certificate from 
said person identification certificate authority, said entity performs mutual authentication 
between said entity and said person identification certificate authority, and said person 
identification certificate authority transmits the person identification certificate provided 
that said mutual authentication is successfully completed. 

However, Diffie teaches a method of two-party mutual authentication wherein the 
parties exchange digital signatures (page 9, first paragraph) in addition to their public 
cryptographic keys for the purpose of enhancing security by assuring that each of the 
parties exchanging a public key is authentic and not an imposter (page 2, paragraph 3). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the system of Bianco with the teaching of 
Diffie such that in the process of acquiring the person identification certificate from said 
person identification certificate authority, said entity performs mutual authentication
between said entity and said person identification certificate authority, and said person 
identification certificate authority transmits the person identification certificate provided 
that said mutual authentication is successfully completed. One would be motivated to 
do so in order to enhance network security by assuring that each of the parties 
exchanging a public key is authentic and not an imposter. 

Regarding claim 11, Bianco teaches all the limitations of claim 1, and further 
teaches 

that said entity and said person identification certificate authority have an 
encryption processing unit, respectively, (col. 56, lines 58-65). 

But Bianco does not explain that when data is transmitted between said entity 
and said person identification certificate authority, mutual authentication is performed, a 
data-transmitting party generates a digital signature and adds it to data to be 
transmitted, and a data-receiving party verifies the digital signature. 

However, Diffie teaches a method of two-party mutual authentication wherein the 
parties exchange digital signatures (page 9, first paragraph) in addition to their public 
cryptographic keys for the purpose of enhancing security by assuring that each of the 
parties exchanging a public key is authentic and not an imposter (page 2, paragraph 3). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the system of Bianco with the teaching of 
Diffie such that when data is transmitted between said entity and said person 
identification certificate authority, mutual authentication is performed, a data-transmitting 
party generates a digital signature and adds it to data to be transmitted, and a
data-receiving party verifies the digital signature. One would be motivated to do so in order
to enhance network security by assuring that each of the parties exchanging a public 
key is authentic and not an imposter. 

12. Claims 12-14, 16-18, and 20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 5,930,804 to Yu et al. in view of U.S. Patent No.
6,310,966 to Dulude et al. further in view of Schneier, "Applied Cryptography," 1996, pp. 
31-32. 

Regarding claim 12, Yu discloses a person authentication system comprising: 
a person identification certificate authority (authentication center 24 containing
biometric server 42) which acquires a template (stored biometric data),

executes person authentication on the basis of said acquired template (col. 11,
lines 5-13), and

issues a verification certificate, provided that said person authentication is
successfully passed (col. 11, lines 66-67, and col. 12, lines 33-43).

But Yu does not explain that the person identification certificate authority 
acquires the template from a person identification certificate storing template 
information including said template. 

However, Dulude teaches an authentication system wherein a template 
(registration biometric data 20) is stored within a person identification certificate 
(biometric certificate 68; Fig. 2; col. 4, lines 55-65; col. 5, lines 33-35) for the purpose of
facilitating increased security and accuracy in the authentication of electronic
transactions by binding the biometric identification of consumers with digital certificates 
(col. 3, lines 28-34). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the system of Yu with the teaching of Dulude 
such that the person identification certificate authority acquires the template from a 
person identification certificate storing template information including said template. 
One would be motivated to do so in order to facilitate increased security and accuracy in 
the authentication of electronic transactions by binding the biometric identification of 
consumers with digital certificates. 

Yu and Dulude also do not disclose the manner by which the user sampling 
information is encrypted, or whether a common unit is to be used for decrypting the 
encrypted template and the encrypted sampling information. 

Schneier discloses the use of public-key cryptography in all communications 
between a computer and those with whom it communicates, where any user who 
wishes to communicate with a particular computer uses the same public key, which is 
then decrypted using the receiver's private key. Since all incoming communications are 
being encrypted using the same algorithm, a common decryptor would therefore be 
used on the receiving end. Schneier further suggests that this is done so that someone 
listening in cannot recover the message (see Section 2.5). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to implement the invention of Yu and Dulude by using
public-key cryptography for all communications to the receiver, as disclosed by Schneier, so
that someone listening in cannot recover the message. 

Regarding claim 13, the modified invention of Yu, Dulude, and Schneier is relied 
upon as applied to claim 12, and Yu further teaches that the verification certificate 
issued by said person identification certificate authority includes a digital signature 
written by said person identification certificate authority (Yu, col. 12, lines 36-57). 

Regarding claim 14, the modified invention of Yu, Dulude, and Schneier is relied 
upon as applied to claim 12, and Yu further teaches that 

said person identification certificate authority acquires a template serving as 
person identification data of said person requesting the person identification certificate 
to be issued (col. 9, lines 54-63). 

Yu, Dulude, and Schneier as heretofore cited do not explicitly explain that said 
person identification certificate authority verifies the identification of a person requesting 
a person identification certificate to be issued and that said person identification 
certificate authority generates a person identification certificate storing template 
information including said template. 

However, Dulude teaches an authentication system wherein said person 
identification certificate authority verifies the identification of a person requesting a 
person identification certificate to be issued (col. 5, lines 15-25) and wherein a person 
identification certificate authority (registration authority 34) generates a person 
identification certificate (biometric certificate 68) storing template information 
(registration biometric data 20) including said template (Fig. 2; col. 4, lines 55-65) for the 
purpose of facilitating increased security and accuracy in the authentication of electronic
transactions by binding the biometric identification of consumers with digital certificates 
(col. 3, lines 28-34). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the modified invention of Yu, Dulude, and 
Schneier as applied to claim 12 with the further teaching of Dulude such that said 
person identification certificate authority verifies the identification of a person requesting 
a person identification certificate to be issued and that said person identification 
certificate authority generates a person identification certificate storing template 
information including said template. One would be motivated to do so in order to 
facilitate increased security and accuracy in the authentication of electronic transactions 
by binding the biometric identification of consumers with digital certificates. 

Regarding claim 20, the modified invention of Yu, Dulude, and Schneier is relied 
upon as applied to claim 12, and Yu further teaches that said template is composed of 
any one of: biometric information of a person; non-biometric information; any 
combination of two or more of said biometric information and said non-biometric 
information; and a combination of any of said information and a password (biometric 
data; col. 9, lines 54-67, and col. 10, lines 61-67). 

Regarding claims 16-18, Yu further discloses that authentication information for
the session is sent to the user by the server. This information may be a session 
certificate that is valid for the user session (see column 12, lines 9-42).

13. Claims 19 and 35 are rejected under 35 U.S.C. 103(a) as being unpatentable
over U.S. Patent No. 5,930,804 to Yu et al. in view of U.S. Patent No. 6,310,966 to
Dulude et al. further in view of Schneier, "Applied Cryptography," 1996, pp. 31-32 as
applied to claims 12 and 29 and further in view of U.S. Patent No. 6,298,153 to Oishi.

Yu, Dulude, and Schneier do not disclose the deletion of certificates after their
use.

Oishi discloses the use of one-time certificates (which are discarded after use) 
that are authenticated with a digital signature, in order to retain the anonymity of a user 
(see column 18, lines 25-43). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to modify the invention of Yu, Dulude, and Schneier by using 
one-time certificates, as disclosed by Oishi, in order to retain the anonymity of a user. 

14. Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S.
Patent No. 5,930,804 to Yu et al. in view of U.S. Patent No. 6,310,966 to Dulude et al. 
further in view of Schneier, "Applied Cryptography," 1996, pp. 31-32 as applied to 
claims 12 and 29 above in view of Diffie et al., "Authentication and Authenticated Key 
Exchanges," Designs, Codes and Cryptography, Kluwer Academic Publishers, 1992. 

Yu discloses a transaction with the biometric server, but does not disclose a 
mutual authentication in the accessing of that server. 

Diffie teaches a method of two-party mutual authentication wherein the parties 
exchange digital signatures (page 9, first paragraph) in addition to their public 
cryptographic keys for the purpose of enhancing security by assuring that each of the
parties exchanging a public key is authentic and not an imposter (page 2, paragraph 3). 

Therefore, it would be obvious to a person of ordinary skill in the computer art at 
the time the invention was made to modify the system of Yu, Dulude, and Schneier with 
the teaching of Diffie such that in the process of acquiring the person identification 
certificate from said person identification certificate authority, said entity performs 
mutual authentication between said entity and said person identification certificate 
authority, and said person identification certificate authority transmits the person 
identification certificate provided that said mutual authentication is successfully 
completed. One would be motivated to do so in order to enhance network security by 
assuring that each of the parties exchanging a public key is authentic and not an 
imposter. 



Double Patenting 



The nonstatutory double patenting rejection is based on a judicially created 
doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the 
unjustified or improper timewise extension of the "right to exclude" granted by a patent 
and to prevent possible harassment by multiple assignees. A nonstatutory 
obviousness-type double patenting rejection is appropriate where the conflicting claims 
are not identical, but at least one examined application claim is not patentably distinct 
from the reference claim(s) because the examined application claim is either anticipated 
by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 
F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 
USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 
1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 
F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d)
may be used to overcome an actual or provisional rejection based on a nonstatutory 
double patenting ground provided the conflicting application or patent either is shown to 
be commonly owned with this application, or claims an invention made as a result of 
activities undertaken within the scope of a joint research agreement. 

Effective January 1, 1994, a registered attorney or agent of record may sign a
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 

15. Claims 1-5, 7, 10, 12-15, 36-38, and 40 are rejected on the ground of
nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 9,
10, and 40 of U.S. Patent No. 7,059,516 in view of Schneier, "Applied Cryptography," 
1996, pp. 31-32. 

Regarding claims 1, 12, and 36, the '516 patent discloses the acquisition of a 
certificate including a template from a certificate authority (see claim 1, second 
limitation); the template is encrypted (see claim 1, fifth limitation); the received template 
is compared with the received sampling information from the user (see claim 1, fifth 
limitation), thus constituting a receiving unit; extraction of the template from the 
certificate, which necessarily requires decryption (see claim 1, fifth limitation). 

The '516 patent does not disclose that the user sampling information is 
encrypted, or whether a common unit is to be used for decrypting the encrypted 
template and the encrypted sampling information. 

Schneier discloses the use of public-key cryptography in all communications 
between a computer and those with whom it communicates, where any user who 
wishes to communicate with a particular computer uses the same public key, which is 
then decrypted using the receiver's private key. Since all incoming communications are 
being encrypted using the same algorithm, a common decryptor would therefore be
used on the receiving end. Schneier further suggests that this is done so that someone 
listening in cannot recover the message (see Section 2.5). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to implement the invention of the '516 patent by using public- 
key cryptography for all communications to the receiver, as disclosed by Schneier, so 
that someone listening in cannot recover the message. 

As per claims 2, 13, and 37, the certificate contains the digital signature of the 
certifying authority (see claim 1, fourth limitation).

As per claims 3 and 14, a certificate is generated (see claim 1, seventh 
limitation). 

As per claims 4, 15, and 38, mutual authentication is performed (see claim 9).

As per claim 5, the template is stored in the certificate in encrypted form.

As per claims 10 and 20, biometric or non-biometric information may be used
(see claim 10).

As per claim 40, the method is executable on a program providing medium (see 
claim 24). 

16. Claims 1, 2, 5-7, 10, 12, 13, 36, 37, 39, and 40 are provisionally rejected on the
ground of nonstatutory obviousness-type double patenting as being unpatentable over 
claims 1, 2, 5, 12, and 24 of copending Application No. 09/944,424 in view of Schneier, 
"Applied Cryptography," 1996, pp. 31-32.

As per claims 1, 12, and 36, a certificate is acquired from a certificate authority
having an encrypted template (see claims 1 and 5); the template and user information
that has been received are compared (see preamble of claim 1); since the template is
encrypted, it must necessarily be decrypted in order to be used. 

The '424 application does not disclose that the user sampling information is 
encrypted, or whether a common unit is to be used for decrypting the encrypted 
template and the encrypted sampling information. 

Schneier discloses the use of public-key cryptography in all communications 
between a computer and those with whom it communicates, where any user who 
wishes to communicate with a particular computer uses the same public key, which is 
then decrypted using the receiver's private key. Since all incoming communications are 
being encrypted using the same algorithm, a common decryptor would therefore be 
used on the receiving end. Schneier further suggests that this is done so that someone 
listening in cannot recover the message (see Section 2.5). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to implement the invention of the '424 application by using 
public-key cryptography for all communications to the receiver, as disclosed by 
Schneier, so that someone listening in cannot recover the message. 

As per claims 2, 13, and 37, a digital signature written by the authority is 
disclosed (see claim 2). 

As per claim 5, the template is stored in the certificate (see claim 1). 

As per claim 39, the system may be a service provider (see claim 12).

As per claims 10 and 20, biometric or non-biometric information may be used
(see claim 12). 

As per claim 40, the method is executable on a program providing medium (see 
claim 24). 

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

17. Claims 1-5, 7, 10, 12-15, 36-38, and 40 are provisionally rejected on the ground 
of nonstatutory obviousness-type double patenting as being unpatentable over claims 1,
3, 9, and 11 of copending Application No. 09/944,501 in view of Schneier, "Applied
Cryptography," 1996, pp. 31-32. 

As per claims 1, 12, and 36, a certificate is acquired from a certificate authority
having an encrypted template; the template and user information that has been received
are compared (see preamble of claim 1); since the template is encrypted, it is decrypted
in order to be used (see claim 1). Public keys are used (see claim 3).

The '501 application does not disclose that the user sampling information is 
encrypted, or whether a common unit is to be used for decrypting the encrypted 
template and the encrypted sampling information. 

Schneier discloses the use of public-key cryptography in all communications 
between a computer and those with whom it communicates, where any user who 
wishes to communicate with a particular computer uses the same public key, which is 
then decrypted using the receiver's private key. Since all incoming communications are 
being encrypted using the same algorithm, a common decryptor would therefore be
used on the receiving end. Schneier further suggests that this is done so that someone 
listening in cannot recover the message (see Section 2.5). 

Therefore it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to implement the invention of the '501 application by using 
public-key cryptography for all communications to the receiver, as disclosed by 
Schneier, so that someone listening in cannot recover the message. 

As per claims 2, 13, and 37, a digital signature written by the authority is disclosed
(see claim 9). 

As per claims 3 and 14, a certificate is generated (see claim 1).

As per claims 4, 15, and 38, mutual authentication is performed (see claim 8).

As per claim 5, the template is stored in the certificate (see claim 1).

As per claims 10 and 20, biometric or non-biometric information may be used
(see claim 11).

As per claim 40, the method is executable on a program providing medium (see 
claim 27). 

This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 



Allowable Subject Matter

18. Claims 21-25 and 27-35 would be allowable if base claims 21 and 29 were
rewritten or amended to overcome the claim objections set forth in this Office action. 

19. The following is a statement of reasons for the indication of allowable subject 
matter: 

Claims 21 and 29 as amended recite the re-encryption of a template at the 
certificate authority, using a decryption with the CA's private key and a re-encryption 
using a user's public key. Though these particular decryptions and encryptions are 
commonly done in the art in processing certificate signatures, no art could be found that 
would suggest the operation being performed on the template itself. 

All other claims would be allowable based upon their dependency upon an 
allowable base claim. 

Response to Arguments 

20. Regarding claims 1-6, 8-20, and 36-40, Applicant's arguments filed 22 
September 2006 have been fully considered but they are not persuasive, due to the fact 
that the amendments to the claims presented are not being considered to actually 
narrow the scopes of the claims from the previous office action. 



Conclusion

21. Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 



22. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Matthew E. Heneghan, whose telephone number is 
(571) 272-3834. The examiner can normally be reached on Monday-Friday from 8:30
AM - 4:30 PM Eastern Time. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached at (571) 272-3799. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450 
Or faxed to: 
(571) 273-3800

Any inquiry of a general nature or relating to the status of this application or
proceeding should be directed to the receptionist whose telephone number is (571) 272-2100.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free).



MEH 



December 7, 2006 





